SMBEnum

Sunday, August 09, 2009

I’m going to do a small series of posts about a bunch of the topics Jabra and I covered in our presentation on Sunday at DefCon, since we had a ton to cover and a lot of it probably deserves to have a permanent home on the web where people can look at it and talk about it if need be. Also slide-deck form probably isn’t good enough. Anyway, one of the things we discussed was a way to enumerate certain types of files on Windows from within Internet Explorer. This is almost exactly the same issue as the Gregory R. Panakkal’s sysimage disclosure from 2004, for those of you who remember your browser history. Except this variant does not use sysimage, but SMB.

If you’ve got Internet Explorer you can check out an example here. Jabra has since ported it into Wade’s BeEF as well. This isn’t extremely good at enumerating the entire system because it can only find images, CSS, JavaScript and the like. Other types of files don’t have cross zone information leakage - or no well known way to do that anyway. The point being you can get somewhat granular, and then use another more granular method like David Byrne’s res timing attack or my version without JavaScript to get non-image file detection. You can’t reliably use res timing for much though because it’s too slow. But by combining the two an attacker can pretty quickly enumerate programs on a system. Why is that useful? Well the attacker can launch highly targeted attacks once you know the user has certain programs installed.

Anyway, it’s my opinion that if sysimage needed to be fixed SMBenum too needs to be fixed since they provide virtually the same insights into a computer, using the same basic technique. Either way, it seemed bad enough to me that I thought it was worth writing up a tool to do it. You’ll note that it works differently on different systems, and there may be a way to optimize it, but I didn’t bother. There’s also a lot of images associated with lots of programs that I didn’t add in, but you get the basic idea.